What Is Claimed Is: 

1 LA method for managing public keys through a server that stores 

2 associations between public keys and email addresses, comprising: 

3 receiving a first message from a client at the server, the first message 

4 containing a request for approval of a client public key along with the client 

5 public key; 

6 sending a second message from the server to the client, the second 

7 message containing a request for identity confirmation that includes the client 

8 public key; and 

9 if a third message is received from the client at the server containing an 

10 affirmative response to the request for identity confirmation, storing an 

1 1 association between a client email address and the client public key in a database, 

12 so that other clients can look up the client public key in the database. 

1 2. The method of claim 1, further comprising: 

2 receiving a communication from a second client at the server, the 

3 communication including the client email address; 

4 performing a lookup in the database based on the client email address to 

5 determine if the client email address is associated with the client public key; 

6 if the lookup indicates that the client email address is associated with the 

7 client public key, sending a key identifier for the client public key from the server 

8 to the client, wherein the key identifier allows the client to determine whether the 

9 client possesses the client public key. 

1 3. The method of claim 1 , 



16 

Attorney Docket No. NA00- 13402 Inventor: William F. Price III 

ARPWPORSCHEVMY DOCU M ENTSVN ET WORK ASSOCIATES\NA00-13402\NA00-!3402 APPLICATION. DOC 



2 wherein the request for approval includes key reconstitution information 

3 that allows the client to decrypt to an encrypted client private key at the client if 

4 the client forgets a passphrase for decrypting the encrypted client private key; and 

5 wherein the method further comprises storing the key reconstitution 

6 information in the database. 

1 .4. / The method of claim 1, further comprising: 

2 decrypting the request for approval at the server using a server private key, 

3 the request for approval having been encrypted with a corresponding server public 

4 key by the client; and 

5 using the client public key to verify that the request for approval is signed 

6 by a corresponding client private key. 

1 5. / The method of claim 1 , wherein prior to sending the second 

2 message, the method further comprises: 

3 determining if the database already contains a prior client public key 

4 associated with the client email address; and 

5 if the database already contains the prior client public key, including the 



6 prior client public key in the request for identity confirmation sent to the client in 

7 the second message, so that the client can indicate that the server should replace 

8 the prior client public key with the client public key. 



1 6. , The method of claim 1, further comprising: 

2 receiving a request at the server to remove the client public key from the 

3 database; 

4 if the request is signed with a corresponding client private key, removing 

5 the client public key from the database. 
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1 7. The method of claim 1 , wherein the database contains at most one 

2 key for each email address. 

1 8. The method of claim 1 , wherein the database contains at most one 

2 email address for each key. 

1 9 J The method of claim 1, further comprising: 

2 periodically sending a verification request from the server to the client 

3 email address asking if the client public key remains valid; and 

4 if an affirmative response to the verification request is not received, 

5 removing the client public key from the database. 

1 10. A computer-readable storage medium storing instructions that 

2 when executed by a computer cause the computer to perform a method for 

3 managing public keys through a server that stores associations between public 

4 keys and email addresses, the method comprising: 

5 receiving a first message from a client at the server, the first message 

6 containing a request for approval of a client public key along with the client 

7 public key; 

8 sending a second message from the server to the client, the second 

9 message containing a request for identity confirmation that includes the client 
10 public key; and 

H if a third message is received from the client at the server containing an 

12 affirmative response to the request for identity confirmation, storing an 

1 3 association between a client email address and the client public key in a database, 

14 so that other clients can look up the client public key in the database. 
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1 11. The computer-readable storage medium of claim 10, wherein the 

2 method further comprises: 

3 receiving a communication from a second client at the server, the 

4 communication including the client email address; 

5 performing a lookup in the database based on the client email address to 

6 determine if the client email address is associated with the client public key; 

7 if the lookup indicates that the client email address is associated with the 

8 client public key, sending a key identifier for the client public key from the server 

9 to the client, wherein the key identifier allows the client to determine whether the 
10 client possesses the client public key. 

1 12. The computer-readable storage medium of claim 10, 

2 wherein the request for approval includes key reconstitution information 

3 that allows the client to decrypt to an encrypted client private key at the client if 

4 the client forgets a passphrase for decrypting the encrypted client private key; and 

5 wherein the method further comprises storing the key reconstitution 

6 information in the database. 

1 13. The computer-readable storage medium of claim 1 0, wherein the 

2 method further comprises: 

3 decrypting the request for approval at the server using a server private key, 

4 the request for approval having been encrypted with a corresponding server public 

5 key by the client; and 

6 using the client public key to verify that the request for approval is signed 

7 by a corresponding client private key. 
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1 14. The computer-readable storage medium of claim 10, wherein prior 

2 to sending the second message, the method further comprises: 

3 determining if the database already contains a prior client public key 

4 associated with the client email address; and 

5 if the database already contains the prior client public key, including the 

6 prior client public key in the request for identity confirmation sent to the client in 

7 the second message, so that the client can indicate that the server should replace 

8 the prior client public key with the client public key. 

1 15. The computer-readable storage medium of claim 1 0, wherein the 

2 method further comprises: 

3 receiving a request at the server to remove the client public key from the 

4 database; 

5 if the request is signed with a corresponding client private key, removing 

6 the client public key from the database. 

1 1 6. The computer-readable storage medium of claim 1 0, wherein the 

2 database contains at most one key for each email address. 

1 17. The computer-readable storage medium of claim 10, wherein the 

2 database contains at most one email address for each key. 

1 18. The computer-readable storage medium of claim 10, wherein the 

2 method further comprises: 

3 periodically sending a verification request from the server to the client 

4 email address asking if the client public key remains valid; and 
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1 if an affirmative response to the verification request is not received, 

2 removing the client public key from the database. 

1 1 9. An apparatus that facilitates managing public keys through a server 

2 that stores associations between public keys and email addresses, the apparatus 

3 comprising: 

4 a receiving mechanism at the server that is configured to receive a first 

5 message from a client, the first message containing a request for approval of a 

6 client public key along with the client public key; 

7 a sending mechanism that is configured to send a second message to the 

8 client, the second message containing a request for identity confirmation that 

9 includes the client public key; and 

1 0 a database located at the server; 

1 1 a storing mechanism coupled to the database, wherein if the receiving 



12 mechanism receives a third message from the client containing an affirmative 

1 3 response to the request for identity confirmation, the storing mechanism is 

14 configured to store an association between a client email address and the client 

1 5 public key in a database, so that other clients can look up the client public key in 

16 the database. 



1 20. The apparatus of claim 19, further comprising a key lookup 

2 mechanism that is configured to: 

3 receive a communication from a second client at the server, the 

4 communication including the client email address; 

5 perform a lookup in the database based on the client email address to 

6 determine if the client email address is associated with the client public key; and 

7 to 
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8 send a key identifier for the client public key from the server to the client, 

9 if the lookup indicates that the client email address is associated with the client 

10 public key, wherein the key identifier allows the client to determine whether the 

1 1 client possesses the client public key. 

1 21. The apparatus of claim 1 9, 

2 wherein the request for approval includes key reconstitution information 

3 that allows the client to decrypt to an encrypted client private key at the client if 

4 the client forgets a passphrase for decrypting the encrypted client private key; and 

5 wherein the storing mechanism is additionally configured to store the key 

6 reconstitution information in the database. 

1 22. The apparatus of claim 1 9, further comprising: 

2 a decryption mechanism that is configured to decrypt the request for 

3 approval at the server using a server private key, the request for approval having 

4 been encrypted with a corresponding server public key by the client; and 

5 a verification mechanism that is configured to use the client public key to 

6 verify that the request for approval is signed by a corresponding client private key. 

1 23. The apparatus of claim 1 9, further comprising a lookup mechanism 

2 that is configured to determine if the database already contains a prior client 

3 public key associated with the client email address; 

4 wherein if the database already contains the prior client public key, the 

5 sending mechanism is additionally configured to include the prior client public 

6 key in the request for identity confirmation sent to the client, so that the client can 

7 indicate that the server should replace the prior client public key with the client 

8 public key. 
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1 24. The apparatus of claim 19, further comprising a key removal 

2 mechanism that is configured to: 

3 receive a request at the server to remove the client public key from the 

4 database; and to 

5 remove the client public key from the database, if the request is signed 

6 with a corresponding client private key. 

1 25. The apparatus of claim 19, wherein the database contains at most 

2 one key for each email address. 

1 26. The apparatus of claim 19, wherein the database contains at most 

2 one email address for each key. 

1 27. The apparatus of claim 1 9, further comprising a key removal 

2 mechanism that is configured to: 

3 send a verification request from the server to the client email address 

4 asking if the client public key remains valid; and to 

5 remove the client public key from the database, if an affirmative response 

6 to the verification request is not received. 
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